CSP Everywhere & HSTS Preload

Content Security Policy

• All SpeyBooks domains now return Content-Security-Policy headers
• Each domain has a tailored CSP matching its content requirements
• API endpoints use a strict restrictive policy

HSTS Preload

• speybooks.com submitted to the HSTS preload list — browsers will enforce HTTPS-only before first visit once propagated to Chrome, Firefox, and Safari